WannaCry Ransomware’s Global Impact; Bromium Offers Protection

This is a special rapid response blog to breaking news about the WannaCry ransomware attack that is now being seen in more than 100 countries. We’ll be updating our blog with additional news as we learn more.

Updated at 4pm on Saturday, May 13 with demo video (below) and this link to updated news specifically about NHS and what happened.

Updated 4pm on Sunday, May 14, with a link to this article that says WannaCry2 is imminent. Start patching and when you’re ready to go a different route, call us for a demo.

Updated Thursday, May 18, with clarification about how we went at WannaCry – from an email attachment point-of-view as referenced here. It’s within that context, we prepared this information.

“No x-rays/bloods/bleeps/phones/notes.
This is unprecedented.
It will be a miracle if no-one comes to harm.”

This dramatic tweet from an National Health Service (NHS) doctor based in Manchester indicates the seriousness of today’s global ransomware event.

Around lunchtime in the UK, various computers with in the NHS started to fall victim to what appears to be a variant of the wannacrypt ransomware also called WannaCry. At the time of writing it appear that as many as two thirds of NHS trusts are affected and patients are being turned away. Updated on Saturday: NHS is back on track.

It now appears that the event is not targeted and very much global with organisations in China, UK, USA and others affected. The costs of this attack will be extremely high and repercussions will be felt for some time.

Full details of how the attack started are not yet known but reports indicate that once it is active on an endpoint the malware spreads through the organisation’s network using the NSA’s EternalBlue SMB attack which was recently leaked. This results in the WannaCry malware being able to move through the rest of the network without any further user interaction which is extremely damaging as it can spread very quickly and leaves very little time for the security team to react.

Customers fully-deployed with Bromium’s isolation technology are protected at the endpoint.

The infected file isolated within the micro-VM (learn about virtualized security) is unable to connect to the local intranet due to the network isolation technology known as “Containment” which is designed to prevent exactly this sort of lateral movement through a computer network (watch it work). Containment works by preventing DNS resolution and connections to IP addresses used on the corporate network from untrusted uVMs which could potentially be running malicious code, the result is that the malware is unable to find its way around the network. This technique will neutralise the EternalBlue SMB attack. Bromium Customers: please click here to check your settings.

Please note: This demonstration shows one example—malicious documents—of how ransomware like WannaCry can enter your network. Bromium stops WannaCry ransomware in its tracks. We use virtualization to contain threats – from applications, downloads, files, and while browsing – and you can then choose to let it run or shut it down.

Expect to see more of this sort of attack in the coming months and it is advisable to patch Windows as soon as possible. When the EternalBlue attack was leaked, Microsoft patched all modern versions of windows making the attack ineffective.

Windows XP is NOW HAS a patch!

When we wrote this on Friday night, we advised Windows XP machines should be isolated as much as possible; Internet access should be removed and isolated from the rest of the network. Since then, Microsoft has come out with a patch. Learn more.

WannaCry is moving quickly around the world. This snapshot from 5pm Friday, PT.

James Wright is Senior Director of Engineering at Bromium and responsible for the delivery of Bromium's end point security products. He lives in Cambridge and enjoys technology, music, cycling and writing about himself in the third person. You can find out more about him on LinkedIn.